websecurity@lists.webappsec.org

The Web Security Mailing List


Re: [WEB SECURITY] Web App vulnerable to HQL Injection ?

PA
Paul AMAR
Thu, Feb 13, 2014 9:48 AM

Nice. I'll take a look today.

No problem for the "user friendly" thing.
I just want to practice with those vulnerabilities.

2014-02-13 10:36 GMT+01:00 Stephen de Vries stephen@continuumsecurity.net:

On 13 Feb 2014, at 10:16, Paul AMAR aos.paul@gmail.com wrote:

Do you know any Web app vulnerable to HQL Injection ?

Here's one I wrote and use for internal testing:
https://github.com/continuumsecurity/RopeyTasks/  there's HQL injection
in two of the Controllers, e.g.:
https://github.com/continuumsecurity/RopeyTasks/blob/master/grails-app/controllers/net/continuumsecurity/ropeytasks/TaskController.groovy

Best to download grails and run it from there so you can play with the
code.  If you run: grails war, you can then copy the resulting .war file to
any servlet container like Tomcat, Jetty etc.

Disclaimer: this wasn't really designed for public consumption, just for
my internal testing, so it's not as user friendly as DVWA and other
vulnerable apps.

regards,
Stephen

P
prasanna.k
Thu, Feb 13, 2014 9:56 AM

Thanks for the share guys.

PK

On Thu, Feb 13, 2014 at 3:18 PM, Paul AMAR aos.paul@gmail.com wrote:

Nice. I'll take a look today.

No problem for the "user friendly" thing.
I just want to practice with those vulnerabilities.

2014-02-13 10:36 GMT+01:00 Stephen de Vries <stephen@continuumsecurity.net>:

On 13 Feb 2014, at 10:16, Paul AMAR aos.paul@gmail.com wrote:

Do you know any Web app vulnerable to HQL Injection ?

Here's one I wrote and use for internal testing:
https://github.com/continuumsecurity/RopeyTasks/  there's HQL injection
in two of the Controllers, e.g.:
https://github.com/continuumsecurity/RopeyTasks/blob/master/grails-app/controllers/net/continuumsecurity/ropeytasks/TaskController.groovy

Best to download grails and run it from there so you can play with the
code.  If you run: grails war, you can then copy the resulting .war file to
any servlet container like Tomcat, Jetty etc.

Disclaimer: this wasn't really designed for public consumption, just for
my internal testing, so it's not as user friendly as DVWA and other
vulnerable apps.

regards,
Stephen

S
sid
Wed, Feb 19, 2014 9:37 AM

This is a very interesting chain. I cover some of these topics in my Black
Hat class 'The Art of Exploiting Injection Flaws'

http://blackhat.com/us-14/training/the-art-of-exploiting-injection-flaws.html

--my 10 cents----

It's worth highlighting that when you encounter HQLi, your input is
interpreted by Hibernate. You have 2 attack vectors:

  1. Convince Hibernate that it should not manipulate your input and pass it
    to the database. You can do this by using functions and injecting your "sql" as
    an argument to functions.

  2. Inject directly into Hibernate and let the resulting SQL compiled by Hibernate
    execute what you want to do at the database level.

In my experiments, 2 is rather difficult. Hibernate is a very limited language
and does not support union, order by and even comment characters. 1 would
work but there are certain limitations. You cannot query tables which are
not already mapped under Hibernate's configuration. So, in my experiments
you can only query tables which are already mapped. You can also return the
output of generic functions and keywords like @@version, user etc.

Besides this, you may also have a case of Hibernate calling a stored
procedure and the injection point is actually in the stored procedure. In which
case, Hibernate is just a medium to pass input to the stored proc, and the
injection will work like any SQLi.

-----end of 10 cents---

Thanks

Sid

Founder/Director

NotSoSecure Limited,

9, Old Forge Way,

Sawston,

CB223BZ

http://www.notsosecure.com

From: websecurity [mailto:websecurity-bounces@lists.webappsec.org] On Behalf
Of prasanna.k
Sent: 13 February 2014 09:57
To: Paul AMAR
Cc: websecurity
Subject: Re: [WEB SECURITY] Web App vulnerable to HQL Injection ?

Thanks for the share guys.

PK

On Thu, Feb 13, 2014 at 3:18 PM, Paul AMAR <aos.paul@gmail.com> wrote:

Nice. I'll take a look today.

No problem for the "user friendly" thing.
I just want to practice with those vulnerabilities.

2014-02-13 10:36 GMT+01:00 Stephen de Vries <stephen@continuumsecurity.net>:

On 13 Feb 2014, at 10:16, Paul AMAR <aos.paul@gmail.com> wrote:

Do you know any Web app vulnerable to HQL Injection ?

Here's one I wrote and use for internal testing:
https://github.com/continuumsecurity/RopeyTasks/  there's HQL injection in
two of the Controllers, e.g.:
https://github.com/continuumsecurity/RopeyTasks/blob/master/grails-app/controllers/net/continuumsecurity/ropeytasks/TaskController.groovy

Best to download grails and run it from there so you can play with the code.
If you run: grails war, you can then copy the resulting .war file to any
servlet container like Tomcat, Jetty etc.

Disclaimer: this wasn't really designed for public consumption, just for my
internal testing, so it's not as user friendly as DVWA and other vulnerable
apps.

regards,

Stephen


The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

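To put Sid's point about attacker-controlled input being parsed by Hibernate on the defensive side, here is an added example (not code from this thread or from RopeyTasks) showing the HQL string-concatenation pattern that hands Hibernate user-supplied query text, beside the bound-parameter form that removes it. It assumes a mapped `Task` entity with `String` fields `name` and `owner`, and Hibernate 5.2+ with its typed `Session.createQuery(String, Class)`; the ORDER BY allow-list goes slightly beyond the thread, covering the one case named parameters cannot handle.

```java
import java.util.List;
import java.util.Set;
import org.hibernate.Session;

// Assumed entity: a Hibernate-mapped class Task with String fields "name" and "owner".
public class TaskSearch {

    // VULNERABLE: the caller's input becomes part of the HQL text, so Hibernate
    // parses it as query syntax. Any valid HQL (function calls included, which is
    // the first vector Sid describes) is interpreted, and the SQL Hibernate
    // generates inherits whatever the input expressed.
    public static List<Task> findByNameUnsafe(Session session, String name) {
        String hql = "from Task t where t.name = '" + name + "'";
        return session.createQuery(hql, Task.class).getResultList();
    }

    // FIXED: the HQL text is a constant. The input is bound as a named parameter,
    // so it reaches the database as a JDBC bind value and is never parsed as HQL
    // or as SQL, regardless of what characters it contains.
    public static List<Task> findByName(Session session, String name) {
        return session.createQuery("from Task t where t.name = :name", Task.class)
                      .setParameter("name", name)
                      .getResultList();
    }

    // A sort column cannot be bound as a parameter: ORDER BY takes an identifier,
    // not a value. Validate it against a fixed allow-list before it touches the
    // query text, and reject anything else outright.
    private static final Set<String> SORTABLE = Set.of("name", "owner");

    public static List<Task> listSorted(Session session, String sortBy) {
        if (!SORTABLE.contains(sortBy)) {
            throw new IllegalArgumentException("unsupported sort column: " + sortBy);
        }
        return session.createQuery("from Task t order by t." + sortBy, Task.class)
                      .getResultList();
    }
}
```

The same distinction applies to a stored-procedure call made through Hibernate (Sid's last case): binding the procedure's arguments as parameters keeps the input out of the call text, but it does nothing for concatenation inside the procedure body itself, which has to be fixed there.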
PA
Paul AMAR
Fri, Feb 21, 2014 7:23 AM

Hi there,

@Sid, thanks for that information;

I tried to get as much resource as I could and I started to develop a tool
to exploit those HQL injections.
Feel free to check it (and fork?): https://github.com/PaulSec/HQLmap

I just wanted something really simple to highlight those vulns.
However, the next step would be to add a new dbms and integrate it in
SQLmap which seems a good idea (thanks to Philippe).

Cheers

2014-02-19 10:37 GMT+01:00 sid sid@notsosecure.com:

This is a very interesting chain. I cover some of these topics in my Black
Hat class 'The Art of Exploiting Injection Flaws'

http://blackhat.com/us-14/training/the-art-of-exploiting-injection-flaws.html

--my 10 cents----

It's worth highlighting that when you encounter HQLi, your input is
interpreted by Hibernate. You have 2 attack vectors:

  1. Convince Hibernate that it should not manipulate your input and pass it
    to the database. You can do this by using functions and injecting your "sql" as
    an argument to functions.

  2. Inject directly into Hibernate and let the resulting SQL compiled by Hibernate
    execute what you want to do at the database level.

In my experiments, 2 is rather difficult. Hibernate is a very limited
language and does not support union, order by and even comment characters.
1 would work but there are certain limitations. You cannot query tables
which are not already mapped under Hibernate's configuration. So, in my
experiments you can only query tables which are already mapped. You can
also return the output of generic functions and keywords like @@version, user
etc.

Besides this, you may also have a case of Hibernate calling a stored
procedure and the injection point is actually in the stored procedure. In which
case, Hibernate is just a medium to pass input to the stored proc, and the
injection will work like any SQLi.

-----end of 10 cents---

Thanks

Sid

Founder/Director

NotSoSecure Limited,

9, Old Forge Way,

Sawston,

CB223BZ

www.notsosecure.com

From: websecurity [mailto:websecurity-bounces@lists.webappsec.org] On Behalf Of prasanna.k
Sent: 13 February 2014 09:57
To: Paul AMAR
Cc: websecurity
Subject: Re: [WEB SECURITY] Web App vulnerable to HQL Injection ?

Thanks for the share guys.

PK

On Thu, Feb 13, 2014 at 3:18 PM, Paul AMAR aos.paul@gmail.com wrote:

Nice. I'll take a look today.

No problem for the "user friendly" thing.
I just want to practice with those vulnerabilities.

2014-02-13 10:36 GMT+01:00 Stephen de Vries <stephen@continuumsecurity.net>:

On 13 Feb 2014, at 10:16, Paul AMAR aos.paul@gmail.com wrote:

Do you know any Web app vulnerable to HQL Injection ?

Here's one I wrote and use for internal testing:
https://github.com/continuumsecurity/RopeyTasks/  there's HQL injection
in two of the Controllers, e.g.:
https://github.com/continuumsecurity/RopeyTasks/blob/master/grails-app/controllers/net/continuumsecurity/ropeytasks/TaskController.groovy

Best to download grails and run it from there so you can play with the
code.  If you run: grails war, you can then copy the resulting .war file to
any servlet container like Tomcat, Jetty etc.

Disclaimer: this wasn't really designed for public consumption, just for
my internal testing, so it's not as user friendly as DVWA and other
vulnerable apps.

regards,

Stephen


